230 likes | 475 Views
7. Using Trust for Role-Based Access Control (RBAC). Prof. Bharat Bhargava Center for Education and Research in Information Assurance and Security (CERIAS) and Department of Computer Sciences Purdue University http://www.cs.purdue.edu/people/bb bb@cs.purdue.edu
E N D
7. Using Trust for Role-Based Access Control (RBAC) Prof. Bharat Bhargava Center for Education and Research in Information Assurance and Security (CERIAS) and Department of Computer Sciences Purdue University http://www.cs.purdue.edu/people/bb bb@cs.purdue.edu Collaborators in the RAID Lab (http://raidlab.cs.purdue.edu): Prof. Leszek Lilien (former Post Doc) Dr. Yuhui Zhong (former Ph.D. Student) This research is supported by CERIAS and NSF grants from IIS and ANIR.
Using Trust for Role-Based Access Control - Outline 1) Access Control in Open Systems 2) Proposed Access Control Architecture 2.1) Basics 2.2) RBAC & TERM server 3) TERM server 3.1)Basic 3.2)Evidence Model 3.3)Architecture • Credential Management (CM) • Evidence Evaluation (EE) • Role Assignment (RA) • Trust Information Management (TIM) 3.4)Prototype TERM server
1) Access Control in Open Systems (1) • Open environment (like WWW, WiFi networks) • User who may not be known in advance • Still must determine the permission set for an unknown user • Common approach: Grant access based on user’s properties demonstrated by digital credentials • Problems with credentials • Holding credentials does not assure user trustworthiness • Evidence provided by different credential issuers should not be uniformly trusted (apply “degrees of trust”)
1) Access Control in Open Systems(2) • A solution for problems with credentials: • Trust should be used by access control mechanisms • To limit granting privileges to potentially harmful users • How to establish trust ? • In particular with “newcomer” devices • What do we need to know about a pervasive device, in order to make a trust decision? • Using trust for attribute-based access control • Identity-based access control is inadequate in open environments (e.g., vulnerable to masquerading) • Multi-dimensional attribute set to determine trust level
2.1) Proposed Access Control Architecture - Basics Information System Access Control Mechanism Authorized Users Other Users • Authorized Users • Validated credentials (first-hand experience and second-hand recommendations) AND • Trust based on history of cooperative and legitimate behavior • Other Users • Lack of required credentials OR • Lack of trust resulting from history of non-cooperative or malicious behavior
TERM Server Request roles user Send roles Request Access Respond RBAC enhanced Web Server 2.2) Proposed Access Control Architecture -RBAC & TERM Server • Role-based access control (RBAC) • Trust-enhanced role-mapping (TERM) server cooperates with RBAC
3.1) TERM Server - Basic Concepts(1) • Evidence • Credentials • Statement about some properties of a subject • Examples: X.509, PICS rating • Issuer’s opinion • Allows issuer to express confidence w.r.t. her statement (recommendation) • Widely used in daily life • Example: Reviewer’s familiarity with topic on review forms • Not supported by current credentials • Evidence • Associate issuer’s opinion with credentials • Reliability of evidence • Trust w.r.t. evidence from the viewpoint of the relying entity (i.e. TERM server) • Combination of the trust w.r.t. the issuer and the issuer’s opinion
3.1) TERM Server - Basic Concepts(2) • Trust based on interpretation of observations of users behaviors • Inherently uncertain • User’s behavior affected by multiple reasons • Example: Reasons why a user provides incorrect information • Dishonesty / Error / Other reasons • Trust context • Trust is context-specific • Example: Bob trusts his doctor w.r.t. health problems but not w.r.t. flying with him • Different trust characteristics are emphasized in different contexts • Trust characteristisc may have different meanings in different contexts • Research questions: • How to represent contexts? • How to propagate trust among contexts? • Trust in a user and issuer (of recommendations) • Trusting a user: belief that user is cooperative • Trusting an issuer: believe evidence provided by issuer
3.2) TERM Server – Evidence Model (1) • Direct experience • User’s or recommendation issuer’s behavior observed by TERM • First-hand information • Recommendation • Recommender’s opinion w.r.t. trust in a user/issuer • Second-hand information
3.2) Evidence Model (2) • Design considerations: • Accommodate different forms of evidence in an integrated framework • Support reliability evaluation • Evidence type • Specify information required by this kind of evidence • (et_id, (attr_name, attr_domain, attr_type) *) • E.g.: (student, [{name, string, mand}, {university, string, mand}, {department, string, opt}]) • Evidence • Evidence is an instance of an evidence type
3.2) Evidence Model(3) • Opinion • (belief, disbelief, uncertainty) • Probability expectation of Opinion • Belief + 0.5 * uncertainty • Characterizes the degree of trust represented by an opinion • Alternative representation • Fuzzy expression • Uncertainty vs. vagueness • Evidence statement • <issuer, subject, evidence, opinion>
user’s trust users’ behaviors assigned roles trust information mgmt role assignment evidence evaluation issuer’s trust evidence statement, reliability evidence statement user/issuer information database credential mgmt credentials provided by third parties or retrieved from the internet role-assignment policies specified by system administrators Component implemented Component partially implemented 3.3) TERM Server Architecture (1) Credential Management (CM) – simply transforms different formats of credentials to evidence statements Evidence Evaluation (EE) - evaluates reliability of evidence statements Role Assignment (RA) - maps roles to users based on evidence statements and role assignment policies Trust Information Management (TIM) - evaluates user/issuer’s trust information based on directexperience and recommendations
a) CM - Credential Management • Transforms different formats of credentials to evidence statements
b) EE - Evidence Evaluation • Develop an algorithm to evaluate reliability of evidence • Issuer’s opinion cannot be used as reliability of evidence • Two types of information used: • Evidence Statement • Issuer’s opinion • Evidence type • Trust w.r.t. issuer for this kind of evidence type
Evidence Evaluation Algorithm Input: evidence statement E1 = <issuer, subject, evidence, opinion1> Output: reliability RE(E1) of evidence statement E1 Step1: get opinion1 = <b1, d1, u1> and issuer field from evidence statement E1 Step2: get the evidence statement about issuer’s testify_trust E2 =<term_server,issuer, testify_trust, opinion2> from local database Step3: get opinion2 = <b2, d2, u2> from evidence statement E2 Step4: compute opinion3 = <b3, d3, u3 > (1) b3 = b1 * b2 (2) d3 = b1 * d2 (3) u3= d1 + u1 + b2 * u1 Step5: compute probability expectation for opinion3 = < b3, d3, u3 > PE (opinion3) = b3 + 0.5 * u3 Step6: RE (E1) = PE (opinion3)
c) RA - Role Assignment • Design a declarative languagefor system administrators to define role assignment policies • Specify content and number of evidence statements needed for role assignment • Define a threshold value characterizing the minimal degree of trust expected for each evidence statement • Specify trust constraints that a user/issuer must satisfy to obtain a role • Develop an algorithm to assign roles based on policies • Several policies may be associated with a role The role is assigned if one of them is satisfied • A policy may contain several units The policy is satisfied if all units evaluate to True
RA Algorithm for Policy Evaluation Input: evidence set E and their reliability, role A Output: true/false P ← the set of policies whose left hand side is role A while P is not empty{ q = a policy in P satisfy = true for each units u in q{ if evaluate_unit(u, e, re(e)) = false for all evidence statements e in E satisfy = false } if satisfy = true return true else remove q from P } return false
RA Algorithm for Unit Evaluation Input: evidence statement E1 <issuer, subject, evidence, opinion1> and its reliability RE (E1), a unit of a policy U Output: true/false Step1: ifissuer does nothold the IssuerRole specified in U or the type of evidence does not match evidence_type in U then return false Step2: evaluate Exp of U as follows: (1) if Exp1 = “Exp2 || Exp3” then result(Exp1) = max(result(Exp2), result(Exp3)) (2) else if Exp1 = “Exp2 && Exp3” then result(Exp1) = min(result(Exp2), result(Exp3)) (3) else if Exp1 = “attr Op Constant” then if Op {EQ, GT, LT, EGT, ELT} then if “attr Op Constant” = true then result(Exp1) = RE(E1) else result(Exp1) = 0 else if Op = NEQ” then if “attr Op Constant” = true then result(Exp1) = RE(E1) else result(Exp1) = 1- RE(E1) Step3: if min(result(Exp), RE(E1)) threshold in U then output true else output false
d) TIM - Trust Information Management • Evaluate “current knowledge” • “Current knowledge:” • Interpretations of observations • Recommendations • Developed algorithm that evaluates trust towards a user • User’s trustworthiness affects trust towards issuers who introduced user • Predict trustworthiness of a user/issuer • Current approach uses the result of evaluation as the prediction
3.4) Prototype TERM Server Defining role assignment policies Loading evidence for role assignment Software: http://www.cs.purdue.edu/homes/bb/NSFtrust.html
Our Research at Purdue • Web Site: http/www.cs.purdue.edu/homes/bb • Over one million dollars in current support from: NSF, Cisco, Motorola, DARPA • Selected Publications • B. Bhargava and Y. Zhong, "Authorization Based on Evidence and Trust", in Proc. of Data Warehouse and Knowledge Management Conference (DaWaK), Sept. 2002. • E. Terzi, Y. Zhong, B. Bhargava, Pankaj, and S. Madria, "An Algorithm for Building User-Role Profiles in a Trust Environment", in Proc. of DaWaK, Sept. 2002 . • A. Bhargava and M. Zoltowski, “Sensors and Wireless Communication for Medical Care,” in Proc. of 6th Intl. Workshop on Mobility in Databases and Distributed Systems (MDDS), Prague, Czechia, Sept. 2003. • B. Bhargava, Y. Zhong, and Y. Lu, "Fraud Formalization and Detection", in Proc. of DaWaK, Prague, Czech Republic, Sept. 2003.